Mr. Fred S. Hoffman, PIASD/Public Affairs: Good afternoon. We brought down
two of our experts to discuss with you the scope of the computer virus that you
are all interested in. Dr. Raymond S. Colladay is Director of the Defense Advanced
Projects Agency, and with him is Col. Tom Herrick, Deputy Director of the Defense
Communications Agency Data Program Systems and Program Manager of the Defense
Data Network. Dr. Colladay will have a brief opening statement and then take
your questions. Dr. Colladay.

Dr. Colladay: We first detected a virus in the system of the network late
Wednesday afternoon, actually it was about 6 o'clock Pacific Time on Wednesday
afternoon, and immediately threw into action the experts that went to work to
try and isolate and fence off this particular virus. That was successful. The
virus was identified. The program was debugged and the trap doors were identi-
fied that would separate it off and then immunize the rest of the system.

It came in through a debugging feature on the electronic mail, by a
user. It did not affect the protocol or the operating system of the ARPA
net. Once that was identified we could easily find a fix for it. That
was communicated to all the users on the network. At this time, we feel
confident that the problem has been solved; that the program that caused the
problem has been isolated and that the system, the network, is immune to any
further problem.

It was a benign virus; by that I mean it didn't destroy files. What it
did when it got into the system is add files and saturate the memory. So it
was easily identified. But it has been dealt with effectively and eliminated
from the system.

Q: Could it just as easily have been a malignant virus that could have destroyed
existing programs?

A: That is always a problem and a threat. We moved quickly enough to
isolate it. Even had it been a malignant, more damaging virus, we would have
caught it quickly, but yes. That is a possibility. In this case it wasn't.

Q: How many computers and what installations were affected by this?

Q: Name some Defense Department installations that had lost their
access, their computers on these nets.

A: These were primarily research users. It was identified at MIT and
University of California, Berkeley, Stanford, in our own computers at DARPA,
and it was isolated in that community.

Q: Can you give us a rough number of how many computers you're talking
about?

A: There were several dozen installations that were affected.

Q: Several dozen installations out of a network of what?

A: A network of some 300.
Q: All Defense, you're talking?

A: No, these were university users and part of the R&D community.

Q: There was no classified information?

A: No classified information.

Q: Does this indicate a potential vulnerability in your Defense computer
network? Could such a virus be planted in systems that have a network that
relate to classified information?

A: We believe we have sufficient safeguards in tagging users in the
classified system that that would not be affected on this. We can implement
those kinds of similar systems in the ARPA net and it's a matter of cost. By
similar systems I mean taking the more effort to tag the users so that they
are identified.


Q: Could this particular virus have passed from the network in which it
was found into other networks, I think particularly of the WINEX and other
national security networks?

A: Let me defer the answer to that question to Colonel Herrick who
managed the gateway between these different networks.

A: To answer your question, absolutely not. They are separate networks
and they are separate for the reason of security. So there is not a linkage
between an unclassified network and a classified network.

Q: It could not have gotten into NORAD or into SAC or into WINEX?

A: Not in the scenario that you're describing, absolutely not.

Q: From this particular network it wouldn't affect it.

A: No.

Q: What if a user using a terminal went from this research network, who
was also cleared to use say a WINEX terminal or any of the others. Could
there be any overlay under those circumstances?

A: No, because they're separate networks. What you have to understand
is that one of the safeguards is that WINEX, the computer network, for
instance, is a closed community and on it are only members of that community.
They are unable to have access from outside of that community so you cannot
get on a terminal outside of that community and enter the WINEX computer
network. You have to be in the network, you have to be cleared, you have to
be a registered individual within the network.

Q: I'd like to ask you if you have an effort underway as to "who done
it" and who is investigating the possibility of finding out who did it, and
is there anything you have to do, you said the damage was contained other
than isolating the virus and the time that took. Does anything have to be
done differently from now on in your own system to keep this from occurring
again?

Q: And also, do you have any idea where it might have originated?

A: We don't know yet the source of the virus. We are in the process of
analyzing that. It's very complex in marching back through the network tree
to the source. We're still analyzing that.

As far as lessons learned, we understand the vulnerability. We have, in
the case of the research network, elected to not implement all of the protective
features that one could in terms of tagging messages in the electronic mail
system. We will be revisiting that and trying to decide at this point whether
more protective features need to be added to the ARPA net system.

Q: Is that your investigation you just mentioned, or someone else's?

A: We're looking at it in DARPA. I started a study today. As soon as
we isolated and found the problem we went into the mode of doing an analysis
of what happened and lessons learned. I don't think we will be the only ones
to do that, but I started it in DARPA today.

Q: When did you find the bug, and did you ever shut down?

A: Yes, we went off the line immediately. That was the first thing we
did, as did the other users. We found it —

Q: The net went off the line or DARPA went off the line?

A: DARPA went off the line. See, the problem wasn't with the network,
it was with the computers on the network. So the first thing to do is
disconnect from the network. We did that. The experts around the country at
Stanford and MIT and Berkeley and DARPA and elsewhere immediately were in
contact with each other working on the fix. It was isolated and the program
was actually downloaded, the program that was the problem, the parasite on
this debugging routine, was identified. So we knew precisely what the program
was. Therefore, we knew precisely what the fix was. As soon as we had put
that fix in place we could get back on the line. We did that today. We've
been on the line all day today as have the other users because of the confidence
that we found the problem and fixed it.

Q: So you were down for a day then.

Q: You said you had not found the source. Do you know whether it came
from MIT, whether it came from, you don't know the programmer, but have you
narrowed it down to an area of the country?

A: No we haven't. We have not yet narrowed it down to even a particular
location.

Q: What's the likelihood that you will?

A: I think it's fairly likely that we will be able to identify the
location, but I think it would be very difficult to in turn find the individual
perpetrator.

Q: Did you say that all computers on this net are now back up and
operating?

A: We have no way of knowing for sure, but everybody that we have been
in contact with that are on the net are back up on the system.

Q: We've been talking about computer systems sort of at the two extremes,
this unclassified data sharing network, and then NORAD type computers for
control of forces. What about all the computers in between? The computers
that keep track of pay records, spare parts, etcetera, etcetera. Could they
have been vulnerable to a slop-over from this particular virus? Or would
they be vulnerable to an episode like this where either a prankster or a
disgruntled employee would get on the net and screw it up?

A: They are, as Colonel Herrick said, they are separate networks that
are linked by gateways. Those are control points. But I'll defer to him for
a further answer to that question.

A: In reference to whether or not another computer or another system
could have been compromised or penetrated in this situation, we do not believe
so. The reason is if you go back and look at specifics, we have the code so
we knew what the code was trying to do. If you take a look at what the code
was trying to do, it wasn't designed to do anything more than be a nuisance.

So the specific answer to your question is no.

The larger answer to your question is when you deal in areas such as pay
or logistics, you also have methods within that to make sure that those
records are accurate, so there are internal checks.

Q: I'd like to go back to an answer you gave to a previous question and
make sure I understand you. Computer experts have been telling me today that
this shows how quickly and how massively a system can be affected and how
vulnerable a system is. Do I hear you correctly in saying you are aware of
how vulnerable the system is?

A: We have been concerned about this and have been aware of the
vulnerability and have taken safeguards within reasonable cost of dealing
with it. Now that question comes in of reasonable cost. You can never, I
don't believe, reduce the probability of this happening to zero. But there
are further things that we can do to prevent it in the future, more
interrogation, more tagging of users, but they are certainly possible, and in
the more secure systems we do that, and we're going to be weighing the costs
against the advantages of further security in the study. But yes, there's no
question that we are vulnerable to these kinds of virus attacks.

Q: You said earlier that you had elected not to implement all of the
potential safeguards that you knew were available. Can you tell me some of
the reasons that you elected not to implement all of the safeguards?

A: As I just said, it's a cost trade.

Q: You suggested that the method of tagging users was part of what made
the various classified networks that the Pentagon uses less vulnerable to
this sort of thing. What happens if a determined user is perfectly willing
to allow himself to be identified and is disgruntled or whatever, almost a
suicide attack if you will? Can it happen?

A: You have to get into what's the probability of that happening. We
think we've safeguarded against that to any reasonable probability. But
that's not zero. We recognize that vulnerability and we deal with it in
matters of security and we think we have done that.

Q: I take it that you think this was a prank that was done deliberately
rather than it was an accident or somebody making a mistake on a terminal.
From what you've seen so far, can you enlighten us on that?

A: I don't believe it was an accident. I think it was deliberate.
Whether it was a prank or whether it was someone that wanted to dramatize
just how effective propagation of a virus like this could be, I don't know.

But I don't think it was an accident.
Q: Do you see any need for criminal sanctions in this area, both as a
deterrence and also to bring in investigative agencies when something like
this happens that could aid your task in finding the perpetrator?

A: I can't really answer that. I think it's something that we should
address, but I can't from the standpoint of a DARPA Director, I can't really
address that.

Q: Would you go back to the beginning and be a little more explicit as
to what you exactly saw? What was the phenomenon that you observed, and
where was it?

A: What we saw, and it occurred not in an isolated location. It was in
several locations. I think it was first found at UC Berkeley. The system
was generating files. It was not destroying anything, but files were being
created, if you will junk mail.

Q: Was it replicating itself?

A: It was just generating files that were not part of the system. That's
pretty easily detected. Then the computers were immediately taken off line.

Q: Was it printing out?

A: No, you don't have to print them out in hard copy, but you see the
files generated, and you see memory vanishing.

Q: This was late Wednesday?

A: Late Wednesday.

Q: How long were the computers off line?

A: We were starting to get back on line late yesterday so I don't know
exactly, but I think it was around 24 hours we had it isolated and fixed.

Q: From what you know of this virus, how long would it have taken to do
this program, and what level of computer savvy was necessary to come up with
this?

A: I really can't answer that. I don't know. It wasn't a neophyte. It
was somebody who understood the system well enough, was sophisticated enough
to be able to tie back to this de-bugging routine on the electronic mail
system and know that would get propagated.

Q: Are there thousands of grad students who could do this, or just a
handful of people with that knowledge?

A: I don't know. I couldn't answer that.

Q: Should we add computer terrorism to our vocabulary? How do we
protect smart weapons?

A: As we've said, there are ways of protecting it if you're willing to
pay the cost of doing that as security requirements are higher. In this
case we felt it was a reasonable trade. Computer terrorism, I think we're
living in an age where we're vulnerable to this kind of thing and that's not
a bad term to describe it.

Q: How serious do you consider this? We've had this before, I believe,
with hackers getting into the Pentagon systems and playing with them. Is
this the first time we've had this type virus in a Pentagon system or a
research system? How serious do you place this among these occurrences?

A: This is the first time we've had something like this in the network,
but again, let me say that it's not endemic to the network. It came in
through a user. So it wasn't a fault with the network. It was on a user
program.

I can tell you from my standpoint that I take it seriously. DARPA has
pioneered a lot of the computer network system and ARPA Net that has led to
other networks and we're moving on in our research to more sophisticated
systems, and network security is going to be part of the research program.

We take it seriously.

Q: Can I just ask you to sum up, no damage was done at all except for
the frustration and time lost? Or was there some real damage. If I asked
the question what was the specific damage done here, how would you respond to
that?

A: The damage was lost time, there was no damage that we know of to
any files or destruction of any files.

Q: What do you think it cost in terms of time lost and the effort that
it took to clean up the mess?

A: I don't know, because we're not done yet. We're still going through
the post-analysis and we are still trying to track back to the source. I
don't know what it will be.

Q: In the past breaches of computer security, and instances of hackers
breaking into things, the FBI has confiscated computer systems and has in
fact arrested and provided witnesses and so forth against other hackers. Is
the FBI involved in investigating this particular breach? This particular virus?
Are they investigating along with DCI or...

A: We have been in contact with them. We have been preoccupied with
identifying the fix and not so much on the investigation, but we've been in
contact with them.

Q: But there is an investigation underway that you know of? Is there a
joint DoD/Justice Department investigation?

A: I don't know that. I meant an analysis from DARPA in trying to
isolate what happened and understand what happened.

Q: The letter writer to the Times or the telephone caller, suggested
that this got out of hand. From what you've seen of the program that's in
there, is this something that could have gotten far beyond what the prankster
intended?

A: I don't know what the prankster intended, or whether it was in fact a
prankster. I don't know how to answer that. I can't say I don't believe it
did get out of hand because we were able to isolate it and eliminate it
quickly.

Q: Was it beyond what he intended though? Could you tell from the
nature of the program?

A: I don't know what he intended.

Q: Do I understand you to say that as a result of this incident DARPA
is redoing its look at computer security, or is that an ongoing concern? And
second, has this incident caused the Pentagon security people, and computer
security people generally to look at all of their other systems as well?

A: Any time you have an event like this it heightens awareness and
sensitivity. It's already, I believe, high. What I said before was that the
DARPA computer network research program is going to take an even more active
role in focusing on network security as well.

Q: Are the SAC and NORAD systems closed communities as you described,
as well as...

A: To the best of my knowledge. The network that I run does not include
SAC and NORAD.

Q: If on one end of the extreme a system that I can get into every day
with my home computer is an open system, and the system you describe as a
closed community system, where does this computer network fit in in between?
Is it terribly open? Is it terribly closed?

A: If you deal in an area of research and development where you're
dealing with colleges and universities and people where you want to take
information and broadcast it, then you have a very open system. It was
designed, and has been designed to be that way.

Q: You said it was a tradeoff, cost for security. How much would a
system cost that would have prevented this?

A: Until we finish the analysis of what it would take, I can't put a
price tag on that.

Q: How many users are in this network? How many computers or users
were shut down? Do we have any number?

A: I recall a number on the order of 300. That's the order of magnitude.

Q: These are research institutions all across the United States?

A: That's right.

Q: I'm not as familiar with the story as I should be, but this is the
only research network that was shut down. There weren't others that were
shut down also?

A: That's correct.

Q: Again, I just sort of want to understand the chronology a bit. When
you're saying it was discovered at University of California at Berkeley and
there are 300 institutions that were shut off, how did that happen? Did
Berkeley call Washington and say we've got a problem, cut your computer off?
How did the news spread?

A: By telephone and by the computer network itself. Remember, these
people are in contact, they're colleagues so they're in contact regularly
anyway.

Q: If it was discovered at 6:00 o'clock Pacific time, how long before
all these 300 knew about it? How long before people were getting off?

A: I can't answer that. I know we came off immediately and I suspect
most people did, but I can't put a time frame into it.

Q: Is there any indication the perpetrator inserted any Trojan Horses
full of viral infections that will come out like a time bomb later on? Could
you isolate that out? And also, did this spread internationally at all?

A: No, it didn't propagate internationally that we know of. And while
there is always a possibility for some latent bug to wreak havoc, we're as
certain as we can be that that didn't happen in this case because we were
able to extract the actual program that did the damage and we understand that
program well enough to be able to write an antidote for it. So we're pretty
confident that that didn't happen.